Tuesday, August 26, 2008

ASP.NET security

ASP.NET security is mostly concerned with building secure sites that serve up pages only to authorized users. Some sites on the net require a login before displaying certain pages. These sites must implement some application-level security to identify authorized users. This application-level security is provided by ASP.NET, which works in conjunction with IIS, the .NET platform and the underlying operating system security services.

Whenever a client tries to connect to a website, it has to make a request to the web server for a particular page. This request is known as a web request. To implement security at the application level, the application needs to take two actions: identify the person who has made the request to the web server, and specify who can access which pages.

The action of identifying the caller of a web page is known as authentication. Once authentication is done, it is decided which pages the caller can view. This is known as authorization. ASP.NET supports four types of authentication and authorization mechanisms.

- Windows authentication
- Passport authentication
- Forms authentication

Let us discuss them one by one.

Windows Authentication

This type of authentication is best suited for intranet applications. A user will be able to access a requested resource only if he has a valid and active Windows account. Moreover, that account needs to have permission to access the specific resource. This type of authentication is very secure since it uses hash algorithms to encode and decode the client’s credentials. However, there are a few problems: this type of authentication does not work through most proxy servers, firewalls, and some routers. Hence this technique is not very suitable for Internet applications.

Setting up Windows authentication is simple. Just make the following settings in the ‘web.config’ file of your project.


These entries ask ASP.NET to use Windows authentication with Identity impersonation for the authentication. Simply doing this will not work if IIS is configured to accept anonymous requests to this website (by default IIS accepts anonymous requests to any Website). To turn off anonymous access to this site, follow the instructions given below.

(a) Start Internet Services Manager from Administrative tools in the Control Panel.
(b) In the IIS, explore the branch with name same as your local machine name.
(c) Explore ‘Default WebSites’.
(d) Locate the Website we want to authenticate using Windows authentication.
(e) Right click on it and select Properties. Property pages would get displayed.
(f) Select the tab named ‘Directory Security’.
(g) Click on the edit button inside the group box named Anonymous access and authentication control.
(h) In the following dialog, uncheck Anonymous access check box. Make sure Integrated Windows Authentication check box is checked.
(i) Click OK to dismiss the dialogs.

This process will force IIS to pop up the Windows authentication dialog before displaying the requested web page.

This can be done programmatically by modifying the section of the web.config file. Make the following changes to the authentication section


We instruct IIS not to allow any users without proper authentication. The tag deny users="?" stops all unauthenticated users from accessing the website.
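The Windows authentication settings described above, written out as one web.config (an added example, not the original post's listing). It goes one step beyond the text by also restricting a single folder to one Windows group; the folder name Reports and the group CONTOSO\Payroll are assumed placeholders.

```xml
<?xml version="1.0"?>
<!-- Added example: web.config for an intranet site using Windows authentication. -->
<configuration>
  <system.web>
    <!-- IIS authenticates the caller; ASP.NET uses the identity IIS hands over. -->
    <authentication mode="Windows" />

    <!-- Run request code under the authenticated caller's Windows account,
         so the ACLs on files and other resources are checked against that user. -->
    <identity impersonate="true" />

    <authorization>
      <!-- "?" means anonymous (unauthenticated) users, "*" means everyone. -->
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Assumed folder name. Rules are evaluated top to bottom and the first
       match wins, so the allow must come before the catch-all deny. -->
  <location path="Reports">
    <system.web>
      <authorization>
        <!-- Placeholder domain\group; substitute a real Windows group. -->
        <allow roles="CONTOSO\Payroll" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

If anonymous access is still enabled in IIS for the site, the deny users="?" rule is what forces the authentication challenge; with anonymous access switched off in IIS as in steps (a) to (i), it acts as a second check.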

Passport Authentication

Passport authentication is a service provided by Microsoft. This service allows us to implement single sign-in for multiple applications or websites that want to authenticate users. The user is expected to use only one user name and password to access all the sites. Moreover, the user need not sign in again whenever he switches from one site to another (provided both sites support Passport authentication). For example, if site1.com and site2.com both support Passport authentication and a user visits site1.com, signs in, and then decides to visit site2.com, he will be automatically authenticated on the basis of the credentials he presented at site1.com. This is possible because whenever we sign in to a site that supports the Passport service, the service creates a secure cookie on our machine. Later, when we visit another Passport-supporting site, our browser presents this cookie. The cookie indicates that we have already been authenticated and no new authentication is required. To set up Passport authentication, the following configuration needs to be added to the ‘web.config’ file.







But the Passport service is not free. If we want to support Passport authentication on our website, we will have to subscribe to it.

Forms Authentication

Forms-based authentication is best suited where a very high degree of security is not required. We can use our own login form, replacing the default login provided by Windows. In almost all situations we will allow anonymous access to our website in IIS, since authentication is done by ASP.NET instead of IIS.

ASP.NET first checks whether there is an authentication cookie present in the request header. If the cookie is present, we know that the user is already authenticated and his identity is present in the cookie. Otherwise the user is automatically redirected to our custom login page. The user then presents his login credentials. If the user is authenticated, we place a cookie in the request header and pass it on to ASP.NET; otherwise access is denied.

Form based authentication is configured in the ‘web.config’ file. The <authentication> section carries information regarding cookies, password formats, list of registered users, etc.
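A web.config for the cookie flow just described, as an added example that is not from the original post. The cookie name, the Login.aspx page, the user entry and the Public folder are assumed placeholders; the comments mark which settings protect the authentication cookie.

```xml
<?xml version="1.0"?>
<!-- Added example: forms authentication with a small in-config user list. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- loginUrl: where requests without a valid cookie are redirected.
           protection="All": the cookie is both encrypted and integrity-checked
             (weaker choices are "Encryption", "Validation" and "None").
           requireSSL="true": the cookie is marked Secure and is only sent
             over HTTPS, so it cannot be read off a plain-HTTP request.
           timeout is in minutes; slidingExpiration renews it on activity. -->
      <forms name=".SITEAUTH"
             loginUrl="Login.aspx"
             protection="All"
             requireSSL="true"
             timeout="30"
             slidingExpiration="true"
             path="/">
        <!-- passwordFormat may be Clear, MD5 or SHA1. Even SHA1 here is an
             unsalted hash kept in a config file, so this list suits a handful
             of accounts; larger sites validate against their own user store. -->
        <credentials passwordFormat="SHA1">
          <!-- Placeholder: paste the hex SHA1 hash of the password. -->
          <user name="alice" password="PLACEHOLDER_SHA1_HEX_OF_PASSWORD" />
        </credentials>
      </forms>
    </authentication>

    <authorization>
      <!-- Anonymous users are sent to loginUrl instead of the page. -->
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Assumed folder that stays readable without logging in. -->
  <location path="Public">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```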
